🧾 Kapothi Audit Scroll: Forgotten Access Reviews
Auditors flagged: “User access reviews and privileged access reviews are not being conducted for users within Active Directory.” — a classic Kapothi moment.
When auditors raise this finding, it means the organization has not been regularly checking who has access to Active Directory and whether those users still need it. In practice, accounts may remain active long after employees leave, contractors finish projects, or service accounts are created without proper documentation. Privileged groups like Domain Admins or Enterprise Admins may also accumulate members who no longer require elevated rights. This creates a serious security gap — attackers love stale accounts and unused privileges because they are rarely monitored.
The IT department’s responsibility is to close this gap by:
- Reviewing privileged groups — Identify all members of high‑risk groups and confirm with management that each one still requires access.
- Checking inactive accounts — Generate reports of users who haven’t logged in for 30 or 60+ days, then disable or remove them after manual review.
- Documenting approvals — Keep CSV exports and manager sign‑offs as audit evidence to prove reviews are being conducted.
- Maintaining service accounts — Ensure every service account has a clear owner, documented purpose, and is excluded from bulk disable actions.
- Repeating regularly — Schedule these reviews (monthly or quarterly) so auditors see a consistent compliance routine.
In short, the audit flag is a warning that access hygiene has slipped. The IT team must demonstrate control by producing evidence of reviews, showing that inactive accounts are cleaned up, and proving that privileged access is tightly managed. That’s how the Kapothi moment is turned into compliance success.
⚡ Privileged Access Review
# List privileged accounts (members of every group whose name contains "Admin")
# The group name is captured in $g before the pipeline so the "Group" column shows
# the group rather than the member's objectClass; objectClass is kept as its own
# column so nested groups are visible to the reviewer.
Get-ADGroup -Filter {Name -like "*Admin*"} |
ForEach-Object { $g = $_.Name
    Get-ADGroupMember -Identity $g |
    Select-Object @{Name="Group";Expression={$g}}, Name, SamAccountName, objectClass }
⚡ Inactive User Review (30 Days)
# Find enabled accounts inactive for 30 days
Search-ADAccount -UsersOnly -AccountInactive -TimeSpan 30.00:00:00 |
Where-Object { $_.Enabled -eq $true } |
Select-Object Name, SamAccountName, LastLogonDate
# Export inactive accounts (30 days) to CSV for audit evidence
Search-ADAccount -UsersOnly -AccountInactive -TimeSpan 30.00:00:00 |
Where-Object { $_.Enabled -eq $true } |
Select-Object Name, SamAccountName, LastLogonDate |
Export-Csv "InactiveUsers_30Days.csv" -NoTypeInformation
⚡ Optional Cleanup (Disable 60+ Days)
# OPTIONAL ⚠️ Cleanup Command
# Risk: This can disable service accounts or rarely used but valid accounts.
# Recommended: First run the 30-day inactive user listing command above, review manually,
# and only disable accounts after confirming they are safe to remove.
# Append -WhatIf to Disable-ADAccount to preview which accounts would be disabled.
Search-ADAccount -UsersOnly -AccountInactive -TimeSpan 60.00:00:00 |
Where-Object { $_.Enabled -eq $true } |
Disable-ADAccount
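The review steps above (inactive-account listing, manual review, manager sign-off as evidence, service accounts excluded from bulk disable) and the optional cleanup can be tied together so that nothing is disabled without a recorded approval. The following is an added example, not part of the original scroll: step 1 writes a review sheet with blank Action and ApprovedBy columns, a reviewer fills them in, and step 2 disables only rows marked Disable with an approver, skipping anything flagged as a service account. The service-account OU, the allow-list names and the file names are assumptions for this example.

```powershell
# Added example (not from the original post): approval-gated inactive account cleanup.
Import-Module ActiveDirectory

$InactiveDays       = 60
$Stamp              = Get-Date -Format "yyyyMMdd"
$ReviewFile         = "InactiveReview_$Stamp.csv"
# Assumed service-account OU; anything beneath it is never bulk-disabled.
$ServiceAccountOU   = "OU=Service Accounts,DC=example,DC=com"
# Assumed allow-list for service accounts that live outside that OU.
$ServiceAccountList = @("svc-backup", "svc-monitoring")

# Step 1: produce the review sheet. Service accounts are listed for visibility but
# pre-marked Keep so the reviewer cannot accidentally approve them.
function New-InactiveReviewSheet {
    Search-ADAccount -UsersOnly -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) |
        Where-Object { $_.Enabled -eq $true } |
        ForEach-Object {
            $IsService = ($_.DistinguishedName -like "*,$ServiceAccountOU") -or
                         ($ServiceAccountList -contains $_.SamAccountName)
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                Name              = $_.Name
                LastLogonDate     = $_.LastLogonDate
                DistinguishedName = $_.DistinguishedName
                ServiceAccount    = $IsService
                # Reviewer sets Action to Disable or Keep and fills in ApprovedBy.
                Action            = $(if ($IsService) { 'Keep' } else { '' })
                ApprovedBy        = ''
            }
        } | Export-Csv $ReviewFile -NoTypeInformation
    Write-Host "Review sheet written to $ReviewFile"
}

# Step 2: act on the reviewed sheet. Rows without an approver, marked Keep, or flagged
# as service accounts are skipped and logged. Supports -WhatIf for a dry run.
function Invoke-ApprovedDisable {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $ReviewFile)

    $Log = foreach ($Row in Import-Csv $Path) {
        # Import-Csv yields strings, so the boolean comes back as 'True'/'False'.
        $Blocked = ($Row.ServiceAccount -eq 'True') -or
                   ($Row.Action -ne 'Disable') -or
                   [string]::IsNullOrWhiteSpace($Row.ApprovedBy)
        if ($Blocked) {
            [pscustomobject]@{
                SamAccountName = $Row.SamAccountName
                Result         = 'Skipped'
                Reason         = "Action=$($Row.Action); ApprovedBy=$($Row.ApprovedBy); ServiceAccount=$($Row.ServiceAccount)"
            }
            continue
        }
        if ($PSCmdlet.ShouldProcess($Row.SamAccountName, "Disable-ADAccount")) {
            Disable-ADAccount -Identity $Row.SamAccountName
            [pscustomobject]@{
                SamAccountName = $Row.SamAccountName
                Result         = 'Disabled'
                Reason         = "Approved by $($Row.ApprovedBy) on $Stamp"
            }
        }
    }
    # The log is the audit evidence: who approved what, and what was skipped and why.
    $Log | Export-Csv "DisableLog_$Stamp.csv" -NoTypeInformation
    $Log
}

# Usage:
#   New-InactiveReviewSheet           # export, then have the reviewer fill in the CSV
#   Invoke-ApprovedDisable -WhatIf    # dry run showing which accounts would be disabled
#   Invoke-ApprovedDisable            # apply approved disables and write DisableLog_<date>.csv
```

Keeping the review sheet and the disable log side by side gives the auditor both halves of the evidence: the population that was reviewed and the decision recorded for each account.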
⚡ Sensitive Group Memberships
# Export key group memberships
$groups = "Domain Admins","Enterprise Admins","Schema Admins","Remote Desktop Users","Backup Operators"
$groups | ForEach-Object {
    # Capture the group name first: inside Select-Object, $_ is the member, not the group.
    $g = $_
    Get-ADGroupMember -Identity $g |
    Select-Object @{Name="Group";Expression={$g}}, Name, SamAccountName
} | Export-Csv "AD_GroupMemberships.csv" -NoTypeInformation
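The two privileged-group listings above show who is in each group, but a reviewer also wants to know whether each member still looks like an active, attended account, and whether rights are held indirectly through a nested group. The following added example (not code from the original post) flattens nested membership with -Recursive, joins each member's enabled state and last logon, flags members that have not logged on within a threshold, and writes a sheet with blank StillRequired and ApprovedBy columns for management sign-off. The group list and the 60-day threshold are assumptions for this example.

```powershell
# Added example (not from the original post): privileged group review with account state.
Import-Module ActiveDirectory

# Assumed set of high-risk groups; extend to match the environment.
$PrivilegedGroups = "Domain Admins","Enterprise Admins","Schema Admins",
                    "Administrators","Account Operators","Backup Operators"
$StaleDays = 60
$Stamp     = Get-Date -Format "yyyyMMdd"

$Rows = foreach ($GroupName in $PrivilegedGroups) {
    $Group = Get-ADGroup -Identity $GroupName -ErrorAction SilentlyContinue
    if (-not $Group) { Write-Warning "Group not found: $GroupName"; continue }

    # -Recursive expands nested groups, so members holding rights indirectly are included.
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $User = Get-ADUser -Identity $_.distinguishedName `
                        -Properties Enabled, LastLogonDate, PasswordNeverExpires
            $LastLogon = $User.LastLogonDate
            # No recorded logon at all is treated as stale, not as "fresh".
            $IsStale = (-not $LastLogon) -or ($LastLogon -lt (Get-Date).AddDays(-$StaleDays))
            [pscustomobject]@{
                Group                = $GroupName
                Name                 = $User.Name
                SamAccountName       = $User.SamAccountName
                Enabled              = $User.Enabled
                LastLogonDate        = $LastLogon
                PasswordNeverExpires = $User.PasswordNeverExpires
                Stale                = $IsStale
                # Manager completes these; a blank row means it has not been reviewed.
                StillRequired        = ''
                ApprovedBy           = ''
            }
        }
}

$Rows | Sort-Object Group, SamAccountName |
    Export-Csv "PrivilegedAccessReview_$Stamp.csv" -NoTypeInformation

# One-line summary per group for the review meeting.
$Rows | Group-Object Group | ForEach-Object {
    "{0}: {1} members, {2} stale" -f $_.Name, $_.Count, @($_.Group | Where-Object Stale).Count
}
```

Sorting by group and account makes successive quarterly exports diff cleanly, which is the simplest way to show an auditor what changed between reviews.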
⚡ Full AD Group Memberships (One Line)
# Export all groups with members
Get-ADGroup -Filter * | ForEach-Object { $g=$_.Name;
Get-ADGroupMember $g |
Select-Object @{Name="Group";Expression={$g}},Name,SamAccountName
} | Export-Csv "All_AD_GroupMemberships.csv" -NoTypeInformation
Thus the Kapothi was resolved: from audit red flag to compliance evidence, with scrolls of PowerShell wisdom.